Securing SIP Trunks APPLICATION NOTE.


SIP trunks are offered by Internet Telephony Service Providers (ITSPs) to connect an enterprise's IP PBX to the traditional Public Switched Telephone Network (PSTN) over the Internet, using the Session Initiation Protocol (SIP) Voice over Internet Protocol (VoIP) standard. Deploying SIP trunks lets enterprises take full advantage of VoIP and eliminate costly Time-Division Multiplexing (TDM) trunks and TDM gateways: calls are routed over the carrier's IP backbone, and the same IP connection carries all of the enterprise's communications.

Once an enterprise decides to deploy one or more SIP trunks, however, it must address several security and deployment issues. In particular, it must consider the following questions:

- Do the enterprise and the service provider have the same security requirements?
- Do they have the same security policies for employees, networks and the VoIP system?
- How does the enterprise keep control over signaling, media, security and routing policies?
- How does the enterprise address new SIP or media threats, whether aimed at its own infrastructure or at the service provider's?
- What changes must be made to the firewall/network address translation (NAT) device, the IP PBX, private IP addressing, the numbering plan and other components?
- Must the enterprise network topology be exposed?
- How does the enterprise ensure user/caller ID privacy?
- How does the enterprise ensure the privacy of the media itself? Is encryption required, and if so, must it be end-to-end?

To deploy SIP trunks securely, an enterprise needs a solution that answers all of these questions. Sipera Systems offers a unified communications (UC) security solution that does so while defining a security boundary between the enterprise and the service provider.

PROBLEM

An enterprise's IP PBX and other UC infrastructure components are valuable assets and, more importantly, critical components of its VoIP and UC services. Enterprises typically control network access to them with virtual local area networks (VLANs), access control lists (ACLs) and firewalls. Providing connectivity over SIP trunks, however, means opening access to these critical resources over the WAN and opening ports on the firewall, which raises serious security challenges and makes it harder for the enterprise to keep control of its own security requirements.

Different enterprise and service provider security requirements

A SIP trunk provider typically has one set of security requirements, whereas its enterprise customers have many different ones. Enterprises standardize on different operating systems, implement security policies differently, define different firewall rules, require different password lengths, and differ in whether they require two-factor authentication for remote users. For VoIP and UC these differences matter. Rather than being forced to adopt the standards of its SIP trunk provider, an enterprise must be able to enforce its own security standards and keep control over all aspects of its unified communications, in order to:

- deploy its SIP trunks securely;
- improve overall network security;
- determine exactly which signaling, media and applications are allowed into or kept out of its network, so that VoIP and UC services get the quality of service (QoS) they need;
- define fine-grained security policies enforced by network, user, device and time of day.

Protection against VoIP and UC protocol vulnerabilities

VoIP offers many more real-time services than data applications do, including transfer, conference and hold, which makes VoIP protocols more complex, more flexible and more exploitable. (For this reason more than 50 IETF requests for comments (RFCs) exist for SIP, compared with only about 10 for HTTP, which has been around more than twice as long.) With known ports open on the firewall to let VoIP and UC traffic through, enterprises must perform deep-packet inspection and continuously police application traffic to protect the VoIP network, endpoints and IP PBXs from thousands of application-layer attacks that can crash an IP PBX, take down service or degrade voice quality. These VoIP/UC-specific application-layer attacks include:

- reconnaissance
- spoofing
- eavesdropping
- signaling and media manipulation
- service theft/fraud
- denial of service (DoS) and distributed DoS
- fuzzing and buffer overflow exploits
- VoIP spam
- VoIP phishing

Confidentiality and privacy concerns

When VoIP traffic is sent over the Internet, both signaling and media must be encrypted for real-time communications to be private. Attackers can sniff unencrypted signaling for reconnaissance and learn detailed call information (caller and called party IP addresses, date and time of the call). Media must be encrypted to protect the content of the conversation itself, but encrypting media adds the challenge of keeping acceptable QoS without degrading performance. Management and operational costs grow further if the artificial requirement of a VPN client on the phone or a VPN gateway in the home is imposed.

Private addressing, firewalls and network address translation (NAT)

The IP addresses carried in SIP messages and headers exchanged between the service provider and the enterprise must be routable in the service provider's network. Unlike data applications, VoIP also uses dynamic ports for the peer-to-peer media flows between phones. For SIP trunks to work, enterprises must therefore make the following major changes to the firewall policies that perform NAT and protect internal private addresses:

- Firewall policy must allow dynamic ports to be opened for media, which weakens security.
- Internal private IP addresses must be made routable in the service provider's network so that SIP messages can be exchanged between the two networks.

Access and authorization

Before a signaling or media session is established, remote users must be authenticated. This can be done in several ways, including digest access authentication or certificates. Many enterprises require two-factor authentication such as RSA SecurID for remote access, to prevent unauthorized calls from lost or stolen phones.

Policy compliance for UC traffic

To deploy SIP trunks without compromising established security policies, enterprises must also enforce fine-grained UC policies. VoIP and IT administrators must control voice, video, IM and other UC applications by defining how each application may be used and which networks, devices and users are authorized to use it. Policies for mobile users and devices must be dynamic and flexible to meet these requirements.

SOLUTION

The Sipera UC-Sec security appliances provide real-time UC security, including threat protection, policy enforcement, access control and privacy, to address the issues of SIP trunk deployments. Built on the Sipera VIPER engine and real-time platform, the UC-Sec appliances secure SIP trunks by performing the following functions:

- serving as the demarcation point of the enterprise VoIP and UC network and enforcing fine-grained security policies;
- blocking SIP and Real-time Transport Protocol (RTP) threats at the enterprise perimeter;
- maintaining the privacy of the enterprise's internal network, caller/user IDs and communications;
- performing firewall/NAT traversal to simplify SIP trunk deployment.
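The digest access authentication mentioned under "Access and authorization" above, worked through as an added example of the full challenge/response exchange (RFC 2617 MD5 digest as SIP uses it in RFC 3261 section 22), with both the client side that answers a 401 and the server side that verifies it. This is illustration code written for this page, not Sipera's or any ITSP's implementation; the user name, password, realm, nonces and the `register_exchange` walk-through are constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Credentials and realm are constructed for this example, not taken from the application note.
TRUNK_USER = "trunk-4155551212"
TRUNK_PASSWORD = "correct horse battery staple"
REALM = "sip.example-itsp.net"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_auth_params(header_value: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' (WWW-Authenticate or Authorization) into a dict."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only the Digest scheme is handled here")
    out = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def digest_response(username, password, realm, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 MD5 digest, with (qop=auth) or without the client nonce extension."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_authorization(challenge, username, password, method, uri,
                        cnonce=None, nc="00000001") -> str:
    """Client side: answer a 401/407 challenge with an Authorization header value."""
    p = parse_auth_params(challenge)
    qop = "auth" if "auth" in (p.get("qop") or "").split(",") else None
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(username, password, p["realm"], method, uri,
                           p["nonce"], qop, nc, cnonce)
    parts = [f'username="{username}"', f'realm="{p["realm"]}"',
             f'nonce="{p["nonce"]}"', f'uri="{uri}"', f'response="{resp}"']
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    if "opaque" in p:
        parts.append(f'opaque="{p["opaque"]}"')
    parts.append("algorithm=MD5")
    return "Digest " + ", ".join(parts)


def verify_authorization(auth_header, method, expected_nonce, password_for) -> bool:
    """Server side: reject unknown or stale nonces (replay), then recompute and compare in constant time."""
    p = parse_auth_params(auth_header)
    if p.get("nonce") != expected_nonce or p.get("realm") != REALM:
        return False
    password = password_for(p.get("username"))
    if password is None:
        return False
    expected = digest_response(p["username"], password, p["realm"], method, p.get("uri", ""),
                               p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p.get("response", ""))


def register_exchange():
    """REGISTER -> 401 challenge -> REGISTER with credentials, plus a replay against a new nonce."""
    nonce = secrets.token_hex(16)                          # the server issues a fresh nonce per challenge
    challenge = f'Digest realm="{REALM}", nonce="{nonce}", qop="auth", algorithm=MD5'
    authorization = build_authorization(challenge, TRUNK_USER, TRUNK_PASSWORD,
                                        "REGISTER", f"sip:{REALM}")
    creds = {TRUNK_USER: TRUNK_PASSWORD}
    ok = verify_authorization(authorization, "REGISTER", nonce, creds.get)
    replayed = verify_authorization(authorization, "REGISTER", secrets.token_hex(16), creds.get)
    return ok, replayed                                    # expected: (True, False)
```

Two caveats a trunk deployment should keep in mind: the digest binds the request method and URI, so a captured REGISTER credential cannot be reused to authorize an INVITE, but the MD5 digest itself offers no confidentiality and is only as strong as the shared password, which is why ITSPs normally combine it with source-address allow-lists and TLS on the trunk; and the server must remember which nonce it issued and treat any other as stale, or the replay check above does nothing.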
Demarcation of the enterprise and service provider VoIP/UC network

Enterprises must enforce a demarcation point between their VoIP/UC boundary and the service provider, using a UC security appliance in the same way they use firewalls and demilitarized zones (DMZs) in their data networks. The UC-Sec appliance becomes this demarcation point and performs all of the security functions needed to enforce enterprise policy. It also collects QoS and service availability information from both the enterprise and the service provider side, so that service level agreements (SLAs) can be verified and enforced.

Enterprises must also define VoIP and UC policies that apply to the SIP trunk. For example, policies might define:

- which users may make voice and video calls;
- which SIP trunk to use for international dialing;
- which trunks require encryption and threat protection;
- which calls must be logged, and whether QoS is reported for them.

Enterprises with multiple departments that have different security requirements and applications may need more flexible, fine-grained policy control. Enterprises frequently use multiple routes to reach the PSTN, and may have multiple internal call servers that require flexible SIP routing policies at the edge. Sipera's UC-Sec offers fine-grained UC policy control by network, user, device and time of day, giving enterprises full control over their UC infrastructure, devices and users.

Addressing the vulnerabilities and threats in SIP and RTP

When traffic from the service provider WAN enters the corporate intranet on its way to high-value assets such as VoIP servers, it must pass through a VoIP security appliance such as UC-Sec, which inspects and validates it.
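What "inspects and validates" means in practice for the attack classes listed under "Protection against VoIP and UC protocol vulnerabilities" above, as an added example written for this page (not Sipera's VIPER engine or UC-Sec code): a small stateful SIP request inspector that rejects malformed messages (the fuzzing and overflow case), rate-limits call setups per source (the DoS case), and only lets a BYE or CANCEL through when it matches a dialog it saw established (the spoofed-teardown case). The `SipInspector` class, the thresholds and the constructed traffic in `run_demo` are all assumptions for the example.

```python
import re
import time
from collections import defaultdict, deque

# Thresholds are assumptions chosen for this example, not values from the application note.
MANDATORY = ("via", "from", "to", "call-id", "cseq")
MAX_HEADER_LINE = 1024      # longer lines are treated as fuzzing / overflow attempts
MAX_HEADERS = 64
FLOOD_WINDOW_S = 10.0
FLOOD_MAX_SETUPS = 5        # INVITE/REGISTER per source per window (deliberately low for the demo)
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


def parse_sip_request(raw):
    """Return (method, request_uri, headers) or raise ValueError for anything malformed."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    if len(lines) - 1 > MAX_HEADERS:
        raise ValueError("too many headers")
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LINE:
            raise ValueError("oversized header line")
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    for h in MANDATORY:
        if h not in headers:
            raise ValueError(f"missing {h}")
    cseq = headers["cseq"][0].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != m.group(1):
        raise ValueError("bad CSeq")
    if int(headers.get("content-length", ["0"])[0]) != len(body.encode()):
        raise ValueError("Content-Length does not match body")
    return m.group(1), m.group(2), headers


def _tag(addr):
    m = re.search(r";tag=([^;\s>]+)", addr)
    return m.group(1) if m else None


class SipInspector:
    """Stateful SIP request inspection: syntax checks, per-source flood limit, dialog tracking."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.setups = defaultdict(deque)   # source address -> timestamps of INVITE/REGISTER
        self.dialogs = {}                  # Call-ID -> tag of the party that sent the INVITE

    def _flooding(self, src):
        q, now = self.setups[src], self.clock()
        while q and now - q[0] > FLOOD_WINDOW_S:
            q.popleft()
        q.append(now)
        return len(q) > FLOOD_MAX_SETUPS

    def inspect(self, src, raw):
        """Return ('FORWARD' | 'DROP', reason) for one request arriving from src."""
        try:
            method, _, h = parse_sip_request(raw)
        except ValueError as e:
            return "DROP", f"malformed: {e}"
        if method in ("INVITE", "REGISTER") and self._flooding(src):
            return "DROP", f"setup flood from {src}"
        call_id = h["call-id"][0]
        if method == "INVITE":
            self.dialogs[call_id] = _tag(h["from"][0])
            return "FORWARD", "new dialog"
        if method in ("BYE", "CANCEL"):
            # Either party may end the call, so the INVITE sender's tag appears in From or To.
            caller_tag = self.dialogs.get(call_id)
            if caller_tag is None or caller_tag not in (_tag(h["from"][0]), _tag(h["to"][0])):
                return "DROP", "no matching dialog (spoofed teardown?)"
            self.dialogs.pop(call_id)
            return "FORWARD", "dialog ended"
        return "FORWARD", method


def sip_request(method, call_id, from_tag, to_tag=None, via_host="203.0.113.10", body=""):
    """Build a minimal, constructed SIP request for the demo."""
    to = "<sip:2125551000@pbx.example.com>" + (f";tag={to_tag}" if to_tag else "")
    return "\r\n".join([
        f"{method} sip:2125551000@pbx.example.com SIP/2.0",
        f"Via: SIP/2.0/UDP {via_host}:5060;branch=z9hG4bK{from_tag}",
        f"From: <sip:4155551212@sip.example-itsp.net>;tag={from_tag}",
        f"To: {to}",
        f"Call-ID: {call_id}",
        f"CSeq: 1 {method}",
        f"Content-Length: {len(body)}",
        "", body])


def run_demo(clock=lambda: 0.0):
    """Constructed traffic: a real call, a spoofed BYE, the callee's real BYE, a fuzzed Via, an INVITE flood."""
    insp = SipInspector(clock)
    verdicts = [
        insp.inspect("203.0.113.10", sip_request("INVITE", "c1@itsp", "a1"))[0],
        insp.inspect("203.0.113.10", sip_request("BYE", "c1@itsp", "zz"))[0],                # no known tag
        insp.inspect("203.0.113.10", sip_request("BYE", "c1@itsp", "b7", to_tag="a1"))[0],   # callee hangs up
        insp.inspect("203.0.113.10", sip_request("INVITE", "c2@itsp", "a2", via_host="A" * 2000))[0],
    ]
    verdicts += [insp.inspect("198.51.100.7", sip_request("INVITE", f"f{i}@itsp", "t"))[0] for i in range(6)]
    return verdicts   # FORWARD, DROP, FORWARD, DROP, then five FORWARD and one DROP
```

A production SBC does the same three things with far more state (transaction timers, response tracking, per-trunk rather than per-source limits, signature matching on known exploit payloads), but the shape is the one shown: syntax before policy, policy before state, and no teardown accepted for a call the appliance never saw set up.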

UC-Sec is VoIP-aware: it performs deep-packet inspection and tracks call state, which is crucial for UC threat mitigation. A signature update mechanism extends the same protection to new threats.

Maintaining privacy of network topology and internal domains

Enterprises need a VoIP/UC-aware appliance at the network edge to hide internal topology and SIP domain information. Sipera's UC-Sec rewrites private IP addresses to public ones and private internal domains to public SIP domains in SIP messages, so that the enterprise network topology is not exposed. UC-Sec also supports:

- user/caller ID anonymity and user privacy;
- the SIP standards needed to interwork with service providers' SIP trunks;
- encryption of signaling over Transport Layer Security (TLS) and of media with Secure RTP (SRTP).

Communicating and interworking disjoint private networks

Enterprise firewalls and DMZs enforce strict policies and perform NAT so that internal networks and servers keep private addresses that are not directly routable from outside. Without requiring these policies to be overhauled, the UC-Sec appliance provides NAT traversal for signaling and manages the dynamic ports used by media. Because UC-Sec takes part in the signaling, it admits only those media sessions that match the session description agreed in the signaling channel.

Unified Communications Security Life Cycle

1. Define security requirements: compare business objectives for UC with their impact on information security compliance (HIPAA, PCI, FERPA, GLBA and others).
2. Assess security posture: identify vulnerabilities, assess risk, determine the gap between the current posture and the requirements, and consider the impact on real-time application performance.
3. Implement security measures: optimize security posture and application performance; configure policy enforcement, threat protection, access control and privacy (encryption).
4. Manage compliance: review the established posture, manage change, and gather new requirements as business objectives and regulatory mandates change.

Companies around the world rely on Sipera Systems to ensure that their UC and VoIP deployments support compliance with information security requirements and mission-critical corporate objectives. Through dozens of vulnerability assessments, security architecture consulting projects and security appliance deployments, Sipera has developed this standardized Unified Communications Security Life Cycle. The process is a best practice for continuous improvement of the security architecture, giving an enterprise confidence that essential security functions keep pace with a changing communications infrastructure. To learn more about Sipera's solutions and for personal consultation about your UC security requirements, please visit
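The two edge functions described above under "Maintaining privacy of network topology and internal domains" and "Communicating and interworking disjoint private networks" share one piece of machinery, so they are worked through together here as a single added example: a back-to-back user agent that rewrites an INVITE leaving the PBX so that no private address, internal hop or internal domain reaches the ITSP, honors a Privacy: id request by anonymizing the From header, substitutes its own media relay address in the SDP, and opens a media pinhole only for the peer address learned from the ITSP's SDP answer. This is illustration code written for this page, not Sipera's UC-Sec implementation; the domains, addresses, the sample INVITE and the `TopologyHidingSbc` class are constructed assumptions.

```python
import re

# All addresses and domains are assumptions for this example, not values from the application note.
PRIVATE_DOMAIN = "pbx.corp.local"               # internal SIP domain to hide
PUBLIC_DOMAIN = "sip.example-enterprise.com"    # SIP domain presented to the ITSP
SBC_SIGNALING = "198.51.100.5:5061"             # SBC public signaling address (TLS)
SBC_MEDIA_IP = "198.51.100.5"                   # SBC public media relay address

# Constructed INVITE as the IP PBX hands it to the SBC on the private side.
SAMPLE_SDP = "\r\n".join([
    "v=0", "o=pbx 2890844526 2890844526 IN IP4 10.20.30.40", "s=-",
    "c=IN IP4 10.20.30.40", "t=0 0", "m=audio 16384 RTP/AVP 0 8 101",
    "a=rtpmap:101 telephone-event/8000", ""])
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:12125551000@pbx.corp.local SIP/2.0",
    "Via: SIP/2.0/UDP 10.20.30.5:5060;branch=z9hG4bK776asdhds",
    "Via: SIP/2.0/UDP 10.20.30.40:5060;branch=z9hG4bKnashds8",
    "Record-Route: <sip:10.20.30.5;lr>",
    'From: "J. Doe" <sip:4155551212@pbx.corp.local>;tag=1928301774',
    "To: <sip:12125551000@pbx.corp.local>",
    "Privacy: id",
    "P-Asserted-Identity: <sip:4155551212@pbx.corp.local>",
    "Call-ID: a84b4c76e66710@10.20.30.40",
    "CSeq: 314159 INVITE",
    "Contact: <sip:4155551212@10.20.30.40:5060>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(SAMPLE_SDP)}",
    "", SAMPLE_SDP])


def parse(raw):
    """Split a SIP message into start line, ordered (name, value) headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (line.partition(":") for line in lines)]
    return start, headers, body


def serialize(start, headers, body):
    return "\r\n".join([start, *(f"{n}: {v}" for n, v in headers), "", body])


def _media(sdp):
    """(ip, port) of the audio stream an SDP body describes."""
    c = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    m = re.search(r"^m=audio (\d+) ", sdp, re.M)
    return c.group(1), int(m.group(1))


class TopologyHidingSbc:
    def __init__(self):
        self.next_port = 30000
        self.sessions = {}   # public Call-ID -> {"inside": (ip, port), "public": (ip, port), "remote": (ip, port) or None}

    def outbound(self, raw):
        """Rewrite a PBX INVITE so nothing private reaches the ITSP; allocate a media relay port."""
        start, headers, body = parse(raw)
        anonymous = any(n.lower() == "privacy" and "id" in v.split(";") for n, v in headers)
        inside = _media(body)
        public = (SBC_MEDIA_IP, self.next_port)
        self.next_port += 2                            # RTP on the even port, RTCP on the odd one
        body = re.sub(r"^(c=IN IP4 )\S+", rf"\g<1>{public[0]}", body, flags=re.M)
        body = re.sub(r"^(o=\S+ \S+ \S+ IN IP4 )\S+", rf"\g<1>{public[0]}", body, flags=re.M)
        body = re.sub(r"^(m=audio )\d+", rf"\g<1>{public[1]}", body, flags=re.M)
        out, public_call_id = [], None
        for name, value in headers:
            key = name.lower()
            if key in ("via", "record-route", "route"):
                continue                               # internal hops never leave the enterprise
            if key == "contact":
                value = f"<sip:{SBC_SIGNALING};transport=tls>"
            elif key == "call-id":                     # the PBX's Call-ID embeds a private IP
                value = public_call_id = value.split("@")[0] + "@" + PUBLIC_DOMAIN
            elif key == "from" and anonymous:          # caller-ID anonymity; PAI stays for the trusted ITSP
                tag = re.search(r";tag=[^;]+", value)
                value = '"Anonymous" <sip:anonymous@anonymous.invalid>' + (tag.group(0) if tag else "")
            elif key in ("from", "to", "p-asserted-identity"):
                value = value.replace(PRIVATE_DOMAIN, PUBLIC_DOMAIN)
            elif key == "content-length":
                value = str(len(body.encode()))
            out.append((name, value))
        # The SBC's own Via goes on top so responses come back to it, not to the PBX.
        out.insert(0, ("Via", f"SIP/2.0/TLS {SBC_SIGNALING};branch=z9hG4bK-sbc-{public_call_id.split('@')[0]}"))
        self.sessions[public_call_id] = {"inside": inside, "public": public, "remote": None}
        return public_call_id, serialize(start.replace(PRIVATE_DOMAIN, PUBLIC_DOMAIN), out, body)

    def answer(self, public_call_id, sdp_answer):
        """The ITSP's answer SDP says where media will come from; only then does the pinhole open."""
        self.sessions[public_call_id]["remote"] = _media(sdp_answer)

    def rtp_forward_target(self, src, dst):
        """Relay a media packet only if it matches a negotiated session and comes from the negotiated peer."""
        for s in self.sessions.values():
            if s["public"] == dst and s["remote"] == src:
                return s["inside"]
        return None
```

A real B2BUA also keeps the stripped Via stack and the Call-ID mapping so that responses and in-dialog requests can be translated back toward the PBX, and it times out sessions whose BYE never arrives. The point the example makes is the one the text makes: the media pinhole is keyed on the addresses negotiated in the signaling, nothing is relayed until the answer has been seen, and a packet from any other source to the relay port is simply dropped.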

IMPLEMENTATION

To enable secure SIP trunks, a single Sipera UC-Sec appliance is deployed at the customer premises, between the internal and external firewalls, to provide network security, enforce security policy and handle the other SIP trunk deployment issues for the enterprise network. In the deployment shown in the figure below, UC-Sec performs border control functions: firewall/NAT traversal (step 1), interworking, security policy enforcement based on fine-grained UC policies, and threat protection against denial of service, spoofing and stealth attacks.

Because UC-Sec is a trusted host in the DMZ, SIP signaling destined for the enterprise is received by the external firewall and passed to the Sipera appliance, which processes it. If the signaling is encrypted, UC-Sec terminates the TLS session, decrypts the traffic and looks for anomalous behavior before forwarding it through the internal firewall to the appropriate IP PBX to set up the requested call (step 2). Once a valid call is established, RTP packets are allowed through the external firewall to UC-Sec, which decrypts SRTP (where used) and inspects the media for anomalies before passing the RTP stream on to the intended recipient (step 3). Note that this answers the end-to-end question raised at the start of this note: encryption on the trunk is hop-by-hop, and the appliance is a trusted intermediary that sees cleartext signaling and media, so it must itself be hardened and its keys protected.

Figure: Sipera UC-Sec deployed in high-availability mode in the DMZ, between the external firewall (facing the ITSP and the PSTN) and the internal firewall (protecting the intranet and the IP PBX). 1: FW/NAT traversal. 2a: encrypted signaling over TLS from the ITSP; 2b: apply VoIP/UC policies, detect and prevent VoIP/UC threats, perform interworking functions; 2c: signaling over TCP/UDP to the IP PBX. 3a: SRTP media from the ITSP; 3b: media anomaly detection and prevention; 3c: RTP media to the IP PBX.

RESULT

The popularity of SIP trunks is due primarily to cost savings and to the reliability offered through service provider SLAs. SIP trunks can deliver much lower-cost local, toll-free, domestic and international long-distance service to any enterprise willing to replace its PSTN connectivity, and they give large, distributed enterprises an opportunity to consolidate their VoIP/UC infrastructure and PSTN connectivity. It is therefore not surprising that enterprises embrace SIP trunks to replace costly PSTN trunks and gateways while using real-time unified communications ubiquitously over IP networks. Some enterprises use multiple SIP trunks from different providers for disaster recovery, redundancy or different applications. Without solving the network security and demarcation challenges, however, SIP trunks cannot be deployed at scale. The Sipera UC-Sec product combines threat protection, access control, policy enforcement and privacy protection in a single device, enabling enterprises to address all of these challenges and deploy SIP trunks securely.
